Entries from November 2007

Rails 1.2.6 security update
November 25th, 2007 · No Comments
The Rails core team has released Ruby on Rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take specific session-fixation countermeasures in your application.
1.2.6 also fixes some regressions […]
Tags: Uncategorized

Rails 2.0 cookies (updated)
November 20th, 2007 · 20 Comments
Rails 2.0 will include a new default session storage, the CookieStore (source). It stores the clear text "marshalled" session object in a cookie, which is kept on the client side. Here is an example of a new cookie value:
BAh7BzoMdXNlcl9pZGkKIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpG%250AbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--be9c1e802c6cf126c722c68002ccbd5684a96dd9
Well, it is actually not clear text, but Base64 encoding. […]
Tags: Rails · Uncategorized
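The cookie format described in the Rails 2.0 cookies entry, as an added example (not the blog's code and not Rails' own implementation): a minimal CookieStore-style signer and verifier in Ruby. It assumes strict Base64 without line breaks (the sample cookie above carries an encoded line break), HMAC-SHA1 as the digest after the "--" separator, and a constructed secret; the point it makes is that the payload is readable by anyone holding the cookie, while the digest must be checked before the payload is ever deserialized.

```ruby
require 'base64'
require 'openssl'

# Constructed secret for this demo; a real application loads it from configuration.
SECRET = 'example-secret-not-for-production'.freeze

def hmac_sha1(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Build a CookieStore-style value: Base64(Marshal.dump(session)) + "--" + HMAC-SHA1 hex digest.
def build_cookie(session, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{hmac_sha1(secret, data)}"
end

# Anyone holding the cookie can decode the payload without the secret: it is
# encoded, not encrypted. Returned as raw bytes; no Marshal.load on unverified data.
def peek_bytes(cookie)
  data, _digest = cookie.split('--', 2)
  Base64.strict_decode64(data)
end

# Constant-time comparison so a digest mismatch does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the digest first; only a cookie that passes is deserialized.
# Returns nil for malformed cookies, wrong secrets, or tampered payloads.
def load_session(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(hmac_sha1(secret, data), digest)
  Marshal.load(Base64.strict_decode64(data))
end

if $PROGRAM_NAME == __FILE__
  cookie = build_cookie({ user_id: 5, flash: {} })
  puts cookie
  puts "payload readable without secret: #{peek_bytes(cookie).include?('user_id')}"
  puts "verified session: #{load_session(cookie).inspect}"
end
```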